[YARN-10816] Avoid doing delegation token ops when yarn.timeline-service.http-authentication.type=simple - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 3.4.0
Fix Version/s: 3.4.0
Component/s: timelineclient
Labels:
None

Hadoop Flags:

Reviewed

Description

~~YARN-10339~~ introduced changes to ensure that PseudoAuthenticationHandler is used in TimelineClient when yarn.timeline-service.http-authentication.type=simple

PseudoAuthenticationHandler doesn't support delegation token ops like get, renew and cancel since those ops strictly require SPNEGO auth to work. We don't use timeline delegation tokens when simple auth is used.

Prior to ~~YARN-10339~~, Timeline delegation tokens were unnecessarily used when yarn.timeline-service.http-authentication.type=simple, but hadoop security was enabled. After ~~YARN-10339~~, the tokens are not used when yarn.timeline-service.http-authentication.type=simple.

In a rolling upgrade scenario, we can have a client which doesn't have ~~YARN-10339~~ changes submitting an application and requests a Timeline delegation token even when yarn.timeline-service.http-authentication.type=simple. RM on the other hand can have ~~YARN-10339~~ changes and so will result in error while trying to renew the token with PseudoAuthenticationHandler.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

YARN-10816.002.patch
10/Jun/21 08:52
6 kB
Tarun Parimi
YARN-10816.001.patch
10/Jun/21 06:12
6 kB
Tarun Parimi

Issue Links

is caused by

YARN-10339 Timeline Client in Nodemanager gets 403 errors when simple auth is used in kerberos environments

Resolved

Activity

People

Assignee:: Tarun Parimi

Reporter:: Tarun Parimi

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 10/Jun/21 04:40

Updated:: 14/Jun/21 07:26

Resolved:: 12/Jun/21 13:20